How to setup systemd service for suricata

I’ve decided on using Suricata rather than making a flake for Snort 3.
I am using the NixOS unstable channel with Home Manager as a module.

I would like to use a simple config for Suricata in IPS mode. Do I add something like this to my configuration.nix?

systemd.services.suricata = {
  description = "Suricata IDS/IPS";
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    # systemd unit keys are capitalised; a lowercase "type" is reported as an
    # unknown key and ignored, so this must be "Type".
    Type = "simple";
    ExecStart = "?";
    Restart = "on-failure";
  };
};

Also, should its config file be made with environment.etc or with home.file?

# This creates /etc/suricata.yaml; the path given to suricata with -c must match it.
environment.etc."suricata.yaml".source = pkgs.writeTextFile {
  name = "suricata.yaml";
  text = ''
    contents
  '';
};

Another question I had forgot to ask.

Does the default NixOS firewall provide sufficient intrusion prevention, or is it prudent to set it up via a package? Not sure if there is a built-in service like ClamAV.

Yeah, something like that.

If Suricata is packaged already, you can reference the binary in ExecStart and optionally provide arguments to the command invocation.

ExecStart = "${pkgs.suricata}/bin/suricata";

You could put the config file in the default location Suricata looks in. Alternatively, reference the Nix-built file (from writeText) in the ExecStart command if Suricata has a flag for it.

If you’re not trying to upstream a module, you don’t need to add any polish or make deeper considerations on the interface.

The firewall is enabled by default: NixOS 24.05 manual | Nix & NixOS

ClamAV has a module available: https://nixos.org/manual/nixos/unstable/options#opt-services.clamav.daemon.enable

Suricata should run as a system service, not a user service, so it doesn't make sense to put the config file in a home directory using Home Manager.
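Pulling the answer together into one runnable configuration.nix fragment, as an added example that is not part of this thread and not from the Suricata or NixOS projects. It assumes IPS via NFQUEUE on queue 0 for all host traffic (so no interface name is needed), the three RFC 1918 ranges as HOME_NET, a single constructed local rules file with one drop rule so the inline path can be verified, the config at Suricata's conventional /etc/suricata/suricata.yaml, and the NixOS firewall's default iptables backend (extraCommands are not applied under the nftables backend):

```nix
{ config, pkgs, ... }:

{
  # Config at the conventional path; it is still passed explicitly with -c below.
  # Assumed values: HOME_NET ranges, queue number 0, one local rules file.
  environment.etc."suricata/suricata.yaml".text = ''
    %YAML 1.1
    ---
    vars:
      address-groups:
        HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"   # assumption: set to your LAN
        EXTERNAL_NET: "!$HOME_NET"

    default-log-dir: /var/log/suricata/

    # NFQUEUE inline mode: a rule with action "drop" really drops the packet.
    nfq:
      mode: accept

    default-rule-path: /etc/suricata/rules
    rule-files:
      - local.rules

    outputs:
      - fast:
          enabled: yes
          filename: fast.log
      - eve-log:
          enabled: yes
          filetype: regular
          filename: eve.json
          types:
            - alert
            - drop
  '';

  # Constructed test rule: an ICMP echo request towards HOME_NET is dropped and logged,
  # which proves traffic is actually passing through Suricata rather than past it.
  environment.etc."suricata/rules/local.rules".text = ''
    drop icmp any any -> $HOME_NET any (msg:"IPS test: ICMP echo dropped"; itype:8; sid:1000001; rev:1;)
  '';

  systemd.services.suricata = {
    description = "Suricata IDS/IPS (NFQUEUE inline mode)";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # -T validates the config and rules; a typo fails the start instead of silently
      # running with no rules loaded.
      ExecStartPre = "${pkgs.suricata}/bin/suricata -T -c /etc/suricata/suricata.yaml";
      ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata/suricata.yaml -q 0";
      # SIGUSR2 makes Suricata re-read its rule files without a restart.
      ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
      Restart = "on-failure";
      RestartSec = "5s";
      # systemd creates these and they are the only writable paths under ProtectSystem=strict.
      LogsDirectory = "suricata";       # /var/log/suricata
      RuntimeDirectory = "suricata";    # /run/suricata (unix command socket)
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      # Packet access and thread priority are all Suricata needs here; trim further if the
      # journal shows no complaints.
      CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_NICE" ];
    };
  };

  # Hand all non-loopback host traffic to queue 0. --queue-bypass fails OPEN: while Suricata
  # is down, packets pass uninspected instead of being dropped (which would also cut off SSH).
  # Remove it if you prefer fail-closed behaviour and have console access.
  networking.firewall.enable = true;
  networking.firewall.extraCommands = ''
    iptables -w -I INPUT  ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
    iptables -w -I OUTPUT ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
  '';
  networking.firewall.extraStopCommands = ''
    iptables -w -D INPUT  ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass 2>/dev/null || true
    iptables -w -D OUTPUT ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass 2>/dev/null || true
  '';
}
```

After `nixos-rebuild switch`, ping the host from another machine on HOME_NET: the reply should not arrive and a matching line should appear in /var/log/suricata/fast.log (and a `drop` event in eve.json); `journalctl -u suricata` shows the `-T` validation and any capability or sandbox complaints. Two caveats a practitioner will want: the rules above only queue INPUT and OUTPUT, so a box acting as a router must also queue FORWARD to protect the networks behind it, and the IPv4-only iptables lines need ip6tables counterparts if the host has IPv6 connectivity, otherwise IPv6 traffic bypasses Suricata entirely. Because the rules file is generated by Nix, edit it in configuration.nix and rebuild rather than editing /etc by hand.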

Thank you.

I was able to find the config file from the git repo.

From there I can add the contents to the correct location.